These notes document how to add a TPM2-backed key to an existing LUKS root partition, first done on EndeavourOS in June 2023. In particular, they cover dracut (instead of mkinitcpio) and systemd-cryptenroll (instead of clevis). Previously we used clevis, but it was slow to act while booting.
- Have a LUKS partition using LUKS2 (systemd-cryptenroll only works with LUKS2 headers). If you're using LUKS1, it can be converted in place with `sudo cryptsetup convert --type luks2 /dev/nvme`, where `/dev/nvme` stands for your encrypted partition. Take a header backup first (`sudo cryptsetup luksHeaderBackup /dev/nvme --header-backup-file luks-header.bak`), since the conversion rewrites the header. If you've previously used clevis, it may have left luksmeta metadata that breaks the conversion; this can be removed with `sudo luksmeta nuke -d /dev/nvme` (which also destroys any remaining clevis bindings on that device).
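The LUKS2 preparation step above, as a small script. This is an added example and not part of the original notes: it reads the header version from `cryptsetup luksDump`, checks for leftover luksmeta data, and then backs up the header, nukes the metadata and converts, in that order. By default it only prints the plan; set `MODE=apply` to execute it. The device path `/dev/nvme0n1p2` and the backup file name `luks-header.bak` are assumptions, and the device must be the encrypted partition, not the whole disk.

```shell
#!/bin/sh
# Added example (not from the original notes): get an existing LUKS partition
# into the LUKS2 state systemd-cryptenroll needs, wiping stale clevis/luksmeta
# metadata on the way. Assumptions: DEV is the encrypted partition (e.g.
# /dev/nvme0n1p2); luks-header.bak is an arbitrary backup file name. Run as root.
set -eu

MODE=${MODE:-plan}   # plan: only print the commands; apply: execute them

# Echo a command, and execute it only when MODE=apply.
run() {
    echo "+ $*"
    if [ "$MODE" = apply ]; then "$@"; fi
}

# Read `cryptsetup luksDump` output on stdin and print the LUKS version (1 or 2).
luks_version() {
    awk '/^Version:/ { print $2; exit }'
}

# Arguments: LUKS version (1|2), luksmeta metadata present (yes|no), DEV.
# Kept free of device access so the ordering logic can be exercised on its own.
convert_to_luks2() {
    version="$1"; has_luksmeta="$2"; dev="$3"
    if [ "$version" = 2 ]; then
        echo "# $dev is already LUKS2; nothing to convert"
        return 0
    fi
    # The conversion rewrites the header in place, so keep a copy first.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file luks-header.bak
    # Stale clevis metadata breaks the conversion; wipe it before converting.
    if [ "$has_luksmeta" = yes ]; then
        run luksmeta nuke -d "$dev"
    fi
    run cryptsetup convert --type luks2 "$dev"
}

# Inspect DEV and hand the findings to convert_to_luks2.
main() {
    dev="$1"
    version=$(cryptsetup luksDump "$dev" | luks_version)
    if [ -z "$version" ]; then
        echo "$dev does not look like a LUKS device" >&2
        return 1
    fi
    # `luksmeta test` exits 0 when a luksmeta header is present; a missing
    # luksmeta binary is treated as "no metadata".
    if command -v luksmeta >/dev/null 2>&1 && luksmeta test -d "$dev" 2>/dev/null; then
        has_luksmeta=yes
    else
        has_luksmeta=no
    fi
    convert_to_luks2 "$version" "$has_luksmeta" "$dev"
}

# Only act when a device argument is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `sudo sh prepare-luks2.sh /dev/nvme0n1p2` prints what would run; `sudo env MODE=apply sh prepare-luks2.sh /dev/nvme0n1p2` executes it. `cryptsetup convert` asks for confirmation interactively, so run the apply step from a terminal.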
- Add the tpm2-tss module to dracut by creating `/etc/dracut.conf.d/tpm.conf` with the following content: